The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply under Section 13407 of the HITECH Act to vendors of personal health records and their third-party service providers.
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.
Unsecured Protected Health Information and Guidance
Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.
This guidance was first issued in April 2009 with a request for public comment. The guidance was reissued after consideration of the public comments received and specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. In practice, encryption only takes data out of the "unsecured" category if the key or other decryption process has not itself been compromised; the guidance therefore expects keys to be stored on a separate device or location from the data they protect, and points to NIST publications for acceptable encryption (data at rest and in transit) and media sanitization methods. Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information.
See the guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.
Breach Notification Requirements
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn whether their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or by other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. A breach is treated as discovered on the first day it is known to the covered entity, or by exercising reasonable diligence would have been known, so the 60-day clock does not wait for the internal investigation to finish. The notification must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, and contact information for the covered entity (or business associate, as applicable).
With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
Notice to the Secretary
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following the discovery of the breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered.
Notification by a Business Associate
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information the covered entity is required to include in its notification to individuals.
Administrative requirements and burden of proof
Covered entities and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. Thus, with respect to an impermissible use or disclosure, a covered entity (or business associate) should maintain documentation that all required notifications were made, or, alternatively, documentation demonstrating that notification was not required: (1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or (2) the application of any other exceptions to the definition of "breach".
Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
Instructions for Covered Entities to Submit Breach Notifications to the Secretary
Submit a breach report to the Secretary
View breaches affecting 500 or more individuals
Breaches of unsecured protected health information affecting 500 or more individuals are posted publicly. View a list of these breaches.